These slides were presented during an exclusive briefing and community review on our current research and development to redefine Zero Trust in identity first terms.
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Identiverse Zero Trust Customer Briefing, Identiverse 2019
2. Evolution of Identity and Its Impact
[Diagram: evolution of identity. Perimeter era: Employees. Perimeter-less / Federation / Cloud / SaaS era: Employees and Partners, Consumers, Things. Later stages add Mobility, Relationships, Attributes, Context, Stateless. Drivers: IT Efficiency, IT Compliance, Security, Business Agility, UX. Enablers: API, AI. Source: Optiv]
3. Enterprise Challenges
Cybersecurity is relentlessly, cumulatively challenging
Compromised identities are still the leading cause of breaches
– “The exploitation of usernames and passwords by nefarious actors continues to be a ripe target…” ITRC 2018 End-of-Year Data Breach Report
Single vendor approaches are not working
4. Identity is a critical cybersecurity technology
Foundation for a New Approach
Cybersecurity technologies must fundamentally work together if they are to achieve meaningful effectiveness
Every business transaction, attack surface or target involves a credential and a service or piece of data
Given the cumulative investment in security, each new investment is increasingly measured for its ability to make the whole more effective
5. Benefits of Identity Defined Security
Steers the focus away from single point defense mechanisms to include a broader set of identity and security components
Delivers a fresh, balanced set of detective and preventive controls
Enables organizations to tackle security with a more precise, identity-aware and identity-specific approach
Leverages increasingly open and API-first tech stacks
[Diagram: Identity Defined Security model; “Users”, “Client”, “Service”, Network and Data, with Identity Services x/y and Security Services x/y connected through Context, Risk, Policy and Workflow]
7. The Identity Defined Security Alliance is a non-profit organization that facilitates community collaboration to develop a framework and practical guidance that helps organizations put identity at the center of their security strategy.
8. Deliver on our mission through…
Cross vendor collaboration
Thought leadership through blogs, webinars, speaking
Identity Centric Security Framework - vendor-agnostic best practices, security controls, use cases
Customer implementation stories
Virtual community for sharing experiences and validation
Identity Defined Security Alliance
12. How can we make identity and security work better together?
[Diagram: infrastructure layers Network, Device, Storage, Application, Compute, with Authentication, Authorization and Identity Governance & Administration delivered as “Embedded” Security Services]
18. Best Practices to Prepare for Identity Defined Zero Trust
• Formalize authoritative source(s) for identity life cycle, attributes and serialization
• Develop a scalable and sustainable directory, attribute and group structure and process
• Identify sensitive data location, access and ownership
• Identify privileged accounts and entitlements
• Establish sources for identity context and risk
• Enhance security operations technology, training and process with identity concepts/scope
19. Core Methods of Identity Defined Zero Trust
• Ensure all data, applications and infrastructure are accessed securely, with authentication and access control matched to the identities, privileges and context involved
• Govern identities and permissions with a least privileged access strategy
• Log and analyze all user and process behaviors
• Apply an identity-specific approach to incident prioritization, analysis, response and remediation
20. Identity Defined Security Controls
• AM+IGA: Synchronization of SSO Access Panel with Governance-driven Provisioning
• IGA+PAM: Lifecycle Provisioning/De-provisioning of Privileged Access
• AM+CASB: SSO through Proxy Server for Robust yet Transparent Auditing/Enforcement
• AM+UEM: Login Redirected for Unmanaged Device
• AM+UEM: Login Denied for Compromised Device
• AM+PAM: Step-up Authentication for Privileged Account Access
• AM+UEM+PAM: Login Denied for Compromised Device Accessing Privileged Account
• PAM+DS: Govern SSO and Authorization Policy for Privileged Access
• DLP+PAM: Privileged Session Termination upon Data Leakage Event
• SIEM/UEBA/SOAR+PAM: Privileged Session Management in Response to Security Incident
• SIEM/UEBA/SOAR+IGA: Identity Governance in Response to Security Incident
• IGA+PAM: Certification of Privileged Accounts
• IGA+DAG: Certification of Sensitive Data Access by Data Owner
Let’s pick a few and apply to Zero Trust...
21. ID Security Control xxx
AM+PAM: Step-up Authentication for Privileged Account Access
• Integrate Components:
– Access Management + Privileged Access Management
• What Happens:
– All logins to privileged accounts through the PAM system require stepped-up authentication
• Value to Organization:
– Significantly reduced risk of illegitimate use of legitimate privileged accounts
– Zero Trust of password/key sharing diligence, especially on system accounts
[Diagram: Identity Defined Security model with PAM and AM highlighted]
22. ID Security Control xxx
IGA+PAM: Lifecycle Provisioning/De-provisioning of Privileged Access
• Integrate Components:
– Privileged Access Management + Identity Governance
• What Happens:
– Changes in identity status trigger automated changes to privileged accounts
• Value to Organization:
– Empower new privileged users faster and eliminate inappropriate privileges proactively, especially upon termination
– Zero Trust of “appropriate use” discipline, especially concerning former employees
[Diagram: Identity Defined Security model with PAM and IGA highlighted]
23. ID Security Control xxx
AM+UEM: Login Denied for Compromised Device
• Integrate Components:
– Access Management + Unified Endpoint Management
• What Happens:
– AM checks UEM and denies login if the device in question has been flagged for indicators of compromise
• Value to Organization:
– Stop lateral movements made easier by compromised devices
– Zero Trust of device security
[Diagram: Identity Defined Security model with UEM and AM highlighted]
24. ID Security Control xxx
AM+UEM+PAM: Login Denied for Compromised Device Accessing Privileged Account
• Integrate Components:
– Access Management + Unified Endpoint Management + Privileged Access Management
• What Happens:
– AM checks UEM and denies login if the device in question has been flagged for indicators of compromise and the login target is a privileged account
• Value to Organization:
– Stop lateral movement “payoffs” made easier by compromised devices
– Zero Trust of device security, especially concerning privileged account logins
[Diagram: Identity Defined Security model with PAM, AM and UEM highlighted]
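The AM+PAM, AM+UEM and AM+UEM+PAM controls on slides 21, 23 and 24 all come down to one decision point: the access-management (AM) service asks UEM about device posture and PAM about the target account before it allows, steps up, or denies a login. The following is an added illustration of that decision logic, not code from the deck or from any IDSA member product; the UEM flag set, the PAM privileged-account list and the device/account names are constructed placeholders.

```python
"""Added example: an AM policy decision combining the UEM and PAM checks
described on slides 21, 23 and 24. All service data here is constructed."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # AM+PAM: privileged target needs stronger authentication
    DENY = "deny"         # AM+UEM: a flagged device never gets a session


@dataclass(frozen=True)
class LoginRequest:
    user: str
    device_id: str
    target_account: str
    strong_auth_done: bool = False  # True once stepped-up auth (e.g. MFA) succeeded


# Constructed stand-ins for what the AM service would fetch from UEM and PAM.
UEM_COMPROMISED_DEVICES = {"laptop-1138"}                  # flagged for indicators of compromise
PAM_PRIVILEGED_ACCOUNTS = {"root", "domain-admin", "svc-backup"}


def device_is_compromised(device_id: str) -> bool:
    """Slides 23/24: AM asks UEM whether the device carries IoC flags."""
    return device_id in UEM_COMPROMISED_DEVICES


def account_is_privileged(account: str) -> bool:
    """Slides 21/24: AM asks PAM whether the login target is a privileged account."""
    return account in PAM_PRIVILEGED_ACCOUNTS


def evaluate(req: LoginRequest) -> tuple[Decision, str]:
    """Return the decision plus an audit reason. The device check runs first so a
    compromised device is denied outright instead of being offered a step-up."""
    privileged = account_is_privileged(req.target_account)
    if device_is_compromised(req.device_id):
        if privileged:
            return Decision.DENY, "compromised device accessing privileged account"
        return Decision.DENY, "compromised device"
    if privileged and not req.strong_auth_done:
        return Decision.STEP_UP, "privileged account requires stepped-up authentication"
    return Decision.ALLOW, "policy satisfied"


if __name__ == "__main__":
    for r in (LoginRequest("alice", "laptop-0001", "alice"),
              LoginRequest("alice", "laptop-0001", "root"),
              LoginRequest("bob", "laptop-1138", "root")):
        print(r.user, r.device_id, r.target_account, *evaluate(r))
```

The audit reason is what a SIEM/UEBA/SOAR integration (slides 20 and 22) would consume to open an incident or trigger PAM session management.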
25. Customer Resources
Adobe Finds ZEN Using Identity-Centric Security
“Working with the IDSA is a great opportunity to help drive innovation across the tech industry with vendors and solution providers alike. Adobe benefits through exposure to vendors, use cases and community best practices that help elevate and strengthen our identity and security teams.”
- Den Jones, Director of Enterprise Security, Adobe
LogRhythm’s Journey to Zero Trust